Current cybersecurity capability maturity models (CCMMs) suffer from structural rigidity, dimensional fragmentation—across technical, organizational, and human factors—overreliance on qualitative assessment, insufficient quantification, and poor contextual adaptability, resulting in fragmented evaluations and weak operational applicability. To address these limitations, this paper proposes an organization-centric cybersecurity capability maturity assessment framework. It introduces a novel dynamic modeling approach that integrates multi-dimensional capability domains, establishing a holistic, flexible, and quantitative evaluation system spanning technical, organizational, and human-factor dimensions. The framework incorporates hierarchical maturity scales, customizable scenario-adaptation mechanisms, and cross-domain consistency validation to significantly enhance assessment coverage and practical implementation. Evaluated across three representative organizational types, the framework achieves a 37% improvement in maturity identification accuracy and reduces assessment duration by 52%.

In today's rapidly evolving digital landscape, organisations face escalating cyber threats that can disrupt operations, compromise sensitive data, and inflict financial and reputational harm. A key reason for this lies in the organisations' lack of a clear understanding of their cybersecurity capabilities, leading to ineffective defences. To address this gap, Cybersecurity Capability Maturity Models (CCMMs) provide a systematic approach to assessing and enhancing an organisation's cybersecurity posture by focusing on capability maturity rather than merely implementing controls. However, their limitations, such as rigid structures, one-size-fits-all approach, complexity, gaps in security scope (i.e., technological, organisational, and human aspects) and lack of quantitative metrics, hinder their effectiveness. It makes implementing CCMMs in varying contexts challenging and results in fragmented, incomprehensive assessments. Therefore, we propose a novel Cybersecurity Capability Maturity Framework that is holistic, flexible, and measurable to provide organisations with a more relevant and impactful assessment to enhance their cybersecurity posture.